### API Access Kubernetes utilizes a powerful REST-based API that is central to its architecture. Understanding the API's structure and endpoints is crucial for efficient cluster management. With each Kubernetes release, the API evolves, and deprecated objects in newer versions are no longer supported starting with v1.16. #### RESTful API The `kubectl` command-line tool makes API calls on your behalf, utilizing standard HTTP verbs (GET, POST, DELETE). These calls can also be made directly using tools like `curl`. For example, to list all Pods, you could use: ```bash $ curl --cert userbob.pem --key userBob-key.pem --cacert /path/to/ca.pem https://k8sServer:6443/api/v1/pods ``` This capability allows for flexible debugging and scripting. ### Checking Access Security and permissions are crucial in Kubernetes. You can check the current authorizations for users with the `kubectl auth can-i` command: ```bash $ kubectl auth can-i create deployments $ kubectl auth can-i create deployments --as bob $ kubectl auth can-i create deployments --as bob --namespace developer ``` Three main APIs help set and query permissions: - **SelfSubjectAccessReview**: Reviews access for the current user. - **LocalSubjectAccessReview**: Reviews access within a specific namespace. - **SelfSubjectRulesReview**: Lists allowed actions for a user within a namespace. Using `reconcile` checks authorization necessary to create an object from a file. ### Optimistic Concurrency Kubernetes employs optimistic concurrency using `resourceVersion`. When updating an object, if the `resourceVersion` has changed, a 409 CONFLICT error is returned, indicating the object has been modified by another process. This ensures consistency without locking resources. ### Using Annotations Annotations provide a way to attach metadata to Kubernetes objects. Unlike labels, annotations are not used to identify objects but to store additional information. For example, to annotate all Pods within a namespace: ```bash $ kubectl annotate pods --all description='Production Pods' -n prod $ kubectl annotate --overwrite pod webpod description="Old Production Pods" -n prod $ kubectl -n prod annotate pod webpod description- ``` Annotations are useful for adding metadata such as timestamps, links to external systems, or developer information. ### Simple Pod A Pod is the fundamental compute unit in Kubernetes, often comprising a primary container and one or more auxiliary containers. Here is an example of a simple Pod manifest in YAML: ```yaml apiVersion: v1 kind: Pod metadata: name: firstpod spec: containers: - image: nginx name: stan ``` Create the Pod using `kubectl`: ```bash $ kubectl create -f simple.yaml $ kubectl get pods $ kubectl get pod firstpod -o yaml $ kubectl get pod firstpod -o json ``` ### Manage API Resources with kubectl `kubectl` exposes resources via RESTful API calls, allowing management through standard HTTP verbs. For verbose output, use the `--v` flag: ```bash $ kubectl --v=10 get pods firstpod ``` This command shows detailed information about the API calls made by `kubectl`. ### Access from Outside the Cluster You can access the Kubernetes API from outside the cluster using `kubectl` or `curl`. The configuration is stored in `~/.kube/config`, which includes cluster details and credentials. To view the configuration: ```bash $ kubectl config view ``` ### Namespaces Namespaces in Kubernetes are used to separate resources within a cluster, providing isolation and resource quotas. By default, four namespaces are created: - `default` - `kube-node-lease` - `kube-public` - `kube-system` Create and manage namespaces with `kubectl`: ```bash $ kubectl get ns $ kubectl create ns linuxcon $ kubectl describe ns linuxcon $ kubectl get ns/linuxcon -o yaml $ kubectl delete ns/linuxcon ``` You can reference namespaces in resource manifests: ```yaml apiVersion: v1 kind: Pod metadata: name: redis namespace: linuxcon ``` ### Additional Resource Methods Kubernetes API provides endpoints for interacting with containers, such as accessing logs, executing commands, and watching resource changes: ```bash $ curl --cert /tmp/client.pem --key /tmp/client-key.pem --cacert /tmp/ca.pem -v -XGET https://10.128.0.3:6443/api/v1/namespaces/default/pods/firstpod/log ``` This is equivalent to: ```bash $ kubectl logs firstpod ``` ### Swagger and OpenAPI Kubernetes APIs are built using the Swagger specification, now evolving towards OpenAPI. This standard allows for auto-generating client code and provides comprehensive documentation of the API. You can browse the API groups via a Swagger UI on the [OpenAPI Specification webpage](https://swagger.io/specification/) ### Conclusion Understanding Kubernetes APIs and access mechanisms is crucial for efficient cluster management. Leveraging Kubernetes for machine learning workloads further enhances its utility, providing scalable and resilient solutions for complex applications. Continue: [[05-API Objects]]